Friday, June 5, 2015

Forensic Imaging and their Formats - DD (raw)

Forensic imaging is the process of making an exact copy of a hard drive or some other type of media. During the process, every 0 and 1 on the original disk/media is copied to the target disk/media. Prior to performing imaging, the destination drive must be zeroed or blanked (whereismydata.wordpress.com, 2009).

The raw image format is a bit-by-bit copy of the raw data on the source media without any additions or deletions. Images produced in raw format do not contain any metadata. However, this metadata may be stored in additional files. Tools such as dd and its derivatives (dc3dd, dcfldd, etc.) typically write images in the raw format (forensicswiki.org, n.d.).

The image below shows a successful acquisition of the contents of the drive /dev/sdb1. The input md5 and sha1 values of /dev/sdb1 match the output values of the created image “forensicsImage.raw”.
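The same three steps (blank the destination, acquire with dd, then compare input and output hashes) as an added example that is not part of the original post. Because the post's source device /dev/sdb1 is not available here, a constructed 1 MiB file of random bytes stands in for the drive, and the working directory, file names and the function names `make_source`, `wipe_destination`, `acquire` and `verify` are all assumptions of this example, not the author's.

```shell
#!/bin/sh
# Added example (not from the original post): raw (dd) acquisition of a
# constructed source, followed by the md5/sha1 verification the post shows.
set -eu

WORK="${TMPDIR:-/tmp}/dd_raw_demo.$$"   # assumed scratch directory
SRC="$WORK/source.bin"                   # stands in for /dev/sdb1
IMG="$WORK/forensicsImage.raw"           # output image, named as in the post
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed source: exactly 1 MiB of pseudo-random bytes. The size is a
# multiple of the dd block size below so conv=sync never has to pad.
make_source() {
    dd if=/dev/urandom of="$SRC" bs=1024 count=1024 2>/dev/null
}

# Step 1: blank the destination before imaging, as the post requires.
# Here that means overwriting the image path with zeros of the source's size.
wipe_destination() {
    size=$(wc -c < "$SRC")
    dd if=/dev/zero of="$IMG" bs=1 count="$size" 2>/dev/null
}

# Step 2: bit-for-bit copy. conv=noerror,sync keeps reading past bad sectors
# and zero-fills them so offsets in the image stay aligned with the source.
acquire() {
    dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>/dev/null
}

# Step 3: the input and output hashes must match. Prints both sets and
# returns 0 only when md5 and sha1 both agree.
verify() {
    src_md5=$(md5sum "$SRC" | cut -d' ' -f1)
    img_md5=$(md5sum "$IMG" | cut -d' ' -f1)
    src_sha1=$(sha1sum "$SRC" | cut -d' ' -f1)
    img_sha1=$(sha1sum "$IMG" | cut -d' ' -f1)
    echo "input  md5=$src_md5 sha1=$src_sha1"
    echo "output md5=$img_md5 sha1=$img_sha1"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha1" = "$img_sha1" ]
}

make_source
wipe_destination
acquire
verify
```

One caveat the hashes expose: with conv=sync, a source whose length is not a multiple of the block size gets zero-padded in the image, so the image hash will not match the source hash even though the copy is faithful. Acquiring with a block size that divides the device size (or hashing only the first N bytes of the image, where N is the source length) avoids the false mismatch.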

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis